Umh, this article is dubious.

1. If your WAF can be fooled by adding a X-Forwarded-For header, trouble ahead.

2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.

3. If you don't write only completely static queries [1] to then use as prepared statements or use a proper ORM [2] when using a SQL database, trouble ahead.

[1] https://www.akadia.com/services/dyn_modify_where_clause.html

[2] Like linq, jOOQ...
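The "completely static queries" approach from point 3, as an added example that is not the commenter's code: the SQL text never changes and optional filters are expressed with the `(? IS NULL OR col = ?)` pattern described on the linked akadia page, so only bound values vary. The concatenated "before" form is shown alongside for contrast; the table, rows and column names are constructed for the demo.

```python
import sqlite3

# One static query string. Each optional filter is written as
# "(? IS NULL OR col = ?)": pass None to skip it, a value to apply it.
# The query text is identical on every call, so it can be prepared once.
FIND_USERS_SQL = """
SELECT id, name, email
FROM users
WHERE (? IS NULL OR name = ?)
  AND (? IS NULL OR email = ?)
ORDER BY id
"""


def make_db():
    # Constructed sample schema and rows (not from the original thread).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def find_users(conn, name=None, email=None):
    # Every filter value is bound twice: once for the IS NULL check,
    # once for the comparison. Input never reaches the SQL text.
    params = (name, name, email, email)
    return conn.execute(FIND_USERS_SQL, params).fetchall()


def vulnerable_find_users(conn, name):
    # The pattern the comment warns about: query text assembled from input.
    # A quote in `name` changes the statement, not just the value compared.
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}' ORDER BY id"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_users(db))                     # no filters: all three rows
    print(find_users(db, name="bob"))         # one row
    print(find_users(db, name="' OR '1'='1"))  # treated as a literal: no rows
    print(vulnerable_find_users(db, "' OR '1'='1"))  # statement altered: all rows
```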
WAFs are never good enough. They're a weak band-aid used by companies who lack the expertise to find and fix security bugs in their own code.
That's why we now have RASP. It's better than a SQL proxy and a WAF, because you have both the SQL query and the HTTP parameters and you can correlate them to be super accurate.